Is there a way to encrypt Syslog traffic using TLS like syslog-ng or rsyslog do? I'm trying to avoid having to set up syslog-ng or rsyslog on the Sumo Logic Collector box in order to receive the encrypted Syslog traffic and forward it to the Sumo Logic Collector.
Unfortunately, the Collector does not currently support receiving TLS syslog data directly with a Syslog Source. You need to set up an intermediary service to receive the TLS data and then forward the plain text to the Source. An alternative to using syslog-ng or rsyslog for this is to use stunnel. As described on https://www.stunnel.org, "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code."
Download from https://www.stunnel.org/downloads.html. Or, on CentOS/RedHat, you can run the following command to install stunnel:
> yum install stunnel
Once installed, generate a key/cert on the host, and then use a stunnel config similar to the following to proxy the syslog data:
cert = /etc/stunnel/stunnel.pem sslVersion = SSLv3 chroot = /var/run/stunnel/ setuid = nobody setgid = nobody pid = /stunnel.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 output = stunnel.log client = no [syslog] accept = 1543 connect = 1514
In this example, we're listening for incoming TLS connections on the host port 1543/TCP ("accept = 1543"). Then this forwards the plain text data to port 1514/TCP, ("connect = 1514") or the port defined in the Collector Syslog config, via the loop back.
For complete instructions, see Configure a Syslog Source.
Find more information on Stunnel and its available configuration options, see: